Project

General

Profile

Actions

Bug #58816

closed

Response Splitting Vulnerability

Added by Sven Carstens over 10 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2014-05-15
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

TYPO3 4.7.18 is vulnerable to Response Splitting (http://en.wikipedia.org/wiki/HTTP_response_splitting)

A recent security audit on our installed customer systems discovered a Response Splitting vulnerability that can be triggered via the redirect_url paramater used by the felogin extension.

The request:
curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd'

The Response headers:
---------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------

This issue should be fixed in the redirect utility method inside of class.t3lib_utility_http.php inside of the function redirect Line 96.
- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));

The fix should be ported to the other TYPO3 version that are currently supported.


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Task #58850: Redirect URLs containing special chars may lead to garbled headersClosed2014-05-16

Actions
Related to TYPO3 Core - Task #73700: Remove security fix for #58816 as of PHP7ClosedAlexander Opitz2016-02-26

Actions
Actions #1

Updated by Markus Klein over 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Nicole Cordes over 10 years ago

Just tested with TYPO3 4.5 and PHP 5.3

REQUEST: ******
POST http://typo3-4-5.local HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 10.36.10.5
Accept: */*
Content-Length:159

logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd

RESPONSE: ******
HTTP/1.1 200 OK
Date: Thu, 15 May 2014 12:40:21 GMT
Server: Apache/2.2.26 (Win32) PHP/5.3.7
X-Powered-By: PHP/5.3.7
Set-Cookie: fe_typo_user=498ff7037501c1f0b66e448eb41ee8e2; path=/
Last-Modified: Mon, 02 Aug 2010 11:10:03 GMT
Expires: Fri, 16 May 2014 00:40:21 GMT
ETag: "5b30c448d52edea405081000b6edc5e5"
Cache-Control: max-age=43200
Pragma: public
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

Actions #3

Updated by Oliver Hader over 10 years ago

Could not reproduce with PHP 5.3.28. Any string containing CR/LF and passed to PHP's header() method is just not outputted.
However, I'm wondering why FrontendLoginController::validateRedirectUrl() is not catching the invalid return URL...

Actions #4

Updated by Helmut Hummel over 10 years ago

  • Project changed from 1716 to TYPO3 Core
  • Status changed from New to Closed

This is not possible with PHP versions > 5.1.3 (see http://de2.php.net/manual/en/function.header.php)

Response by mail from Sven Carstens by mail:

this seems to be a false positive, as the required injection of %0d%0a%0d%0a to split the headers does in fact fail.

Actions #5

Updated by Helmut Hummel over 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #6

Updated by Helmut Hummel over 10 years ago

  • Project changed from 1716 to TYPO3 Core
Actions #7

Updated by Gerrit Code Review almost 9 years ago

  • Status changed from Closed to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44898

Actions #8

Updated by Gerrit Code Review almost 9 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44898

Actions #9

Updated by Helmut Hummel almost 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #10

Updated by Gerrit Code Review almost 9 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44900

Actions #11

Updated by Helmut Hummel almost 9 years ago

  • Status changed from Under Review to Resolved
Actions #12

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF